The United States Court of Appeals for the Fifth Circuit recently found that the United States Department of Health and Human Services (HHS) lacked a lawful basis for a $4.3 million civil money penalty order that it issued to a healthcare provider for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Covered entities and business associates should take note of the court’s decision to provide guidance on their HIPAA compliance efforts and response to enforcement actions taken by HHS. This decision could significantly impact future HHS enforcement actions.

Background

Between 2012 and 2013, the healthcare provider notified HHS of three incidents involving stolen and lost devices containing electronic protected health information (ePHI). HHS investigated the incidents and then assessed the healthcare provider $4,348,000 in civil money penalties for alleged violations of the HIPAA provisions that address encryption and disclosures of PHI (45 CFR §§164.312(a)(2)(iv) and 164.502(a)).

The healthcare provider then unsuccessfully appealed the decision to an administrative law judge (ALJ) and to HHS’ Departmental Appeals Board. The healthcare provider then appealed the decision to the Fifth Circuit for review.

The Court’s Decision and Its Significance

The Fifth Circuit ruled that HHS’ civil money penalty order violated the Administrative Procedure Act because it was arbitrary, capricious and otherwise unlawful for four distinct reasons.

First, the court ruled that HHS misinterpreted HIPAA’s provision related to encryption (referred to in the decision as the “Encryption Rule”). Under 45 CFR §§164.312(a)(2)(iv) and 164.306(d), covered entities and business associates are required to “implement a mechanism to encrypt and decrypt [ePHI] or adopt some other ‘reasonable and appropriate’ method to limit access to patient data.” The court stated that all the Encryption Rule requires is for a covered entity or business associate to have a mechanism in place for encryption. Since the healthcare provider had a mechanism in place for encryption, it was in compliance with the Encryption Rule, “even if [the healthcare provider] could’ve or should’ve had a better one.” The court went on to state that:

[The Encryption Rule] does not require a covered entity to warrant that its mechanism provides bulletproof protection of “all systems containing ePHI.” […] Nor does it say anything about how effective a mechanism must be, how universally it must be enforced, or how impervious to human error or hacker malfeasance it must be. The regulation simply says “a mechanism.”

Second, the court concluded that HHS’ interpretation of the provision of HIPAA that regulates the use and disclosure of PHI (referred to in the decision as the “Disclosure Rule”) was too broad. In its decision, the court disagreed with the ALJ’s conclusion that the healthcare provider violated the Disclosure Rule because it lost control of the devices containing the ePHI. Rather, according to the court, in order for there to be an unlawful disclosure of ePHI under the Disclosure Rule, there must be “an affirmative act of disclosure, not a passive loss of information.” Therefore, none of the three incidents reported to HHS involved an unlawful disclosure of ePHI.

Third, the court found that HHS arbitrarily and capriciously imposed the civil money penalty order on the healthcare provider. In the decision, the court shared several examples of other incidents involving the theft of an unencrypted device for which HHS did not issue any penalties to the covered entity involved. The court went on to state that “an administrative agency cannot hide behind the fact-intensive nature of penalty adjudications to ignore irrational distinctions between like cases.”

Fourth, the court found that the $4.3 million civil money penalty order violated the penalty caps that Congress specified in the HIPAA legislation. Prior to this matter being heard by the Fifth Circuit, HHS admitted that it did not have the authority to issue the $4.3 million civil money penalty and suggested that the penalty amount be reduced to $450,000.

Takeaways for HIPAA-Covered Entities and Business Associates

• This is the second example in a year where we saw successful court challenges by covered entities and business associates to HHS’ enforcement of HIPAA (the first being CIOX vs. Azar). This decision is encouraging for covered entities and business associates who are complying with HIPAA yet are receiving enforcement actions against them by HHS.
• This decision reinforces the importance of having administrative, technical and physical safeguards in place, in accordance with the HIPAA Security Rule. The court was able to rule in the healthcare provider’s favor because there was ample evidence in the administrative record that the healthcare provider spent considerable money and energy protecting ePHI and implementing improvements to its ePHI protections. Covered entities and business associates should implement compliance plans in order to demonstrate compliance with HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
• The court’s interpretation of what constitutes a “disclosure” may be an aberration and should probably not be relied on when evaluating whether an incident constitutes a disclosure that violates HIPAA. However, it is interesting to note that, in the court’s opinion, there needs to be proof that someone “outside” the entity actually received the ePHI.
• If covered entities and business associates receive a penalty from HHS, it is important to evaluate the accuracy of the penalty. As in this decision, HHS may have incorrectly calculated the penalty amount. However, HHS might be more consistent in its proposed civil money penalties in the future or find additional violations to penalize an entity for.